200-301 Question #970: Real Exam Question with Answer & Explanation
The correct answer is A: SW(config-if)#switchport port-security mac-address sticky.
Question
Refer to the exhibit. A network engineer started to configure port security on a new switch. These requirements must be met:
- MAC addresses must be learned dynamically
- Log messages must be generated without disabling the interface when unwanted traffic is seen
Which two commands must be configured to complete this task? (Choose two)
Options
- A. SW(config-if)#switchport port-security mac-address sticky
- B. SW(config-if)#switchport port-security violation restriction restrict
- C. SW(config-if)#switchport port-security mac-address 0010.7B84.45E6
- D. SW(config-if)#switchport port-security maximum 2
- E. SW(config-if)#switchport port-security violation shutdown
Explanation
To configure port security to dynamically learn MAC addresses and generate log messages without disabling the interface upon violations, the switchport port-security mac-address sticky command should be used for learning, and switchport port-security violation restrict for the desired violation mode.
Common mistakes.
- C. switchport port-security mac-address 0010.7B84.45E6 statically configures a MAC address, which contradicts the requirement for dynamically learned MAC addresses.
- D. switchport port-security maximum 2 limits the number of learned MAC addresses but doesn't fulfill the requirements for dynamic learning or the specific violation action.
- E. switchport port-security violation shutdown causes the interface to shut down when a security violation occurs, which goes against the requirement to NOT disable the interface.
Concept tested. Cisco switch port security configuration (sticky MAC, violation modes)